Making progress... but still need some pointers.

On Tue, Apr 25, 2023 at 4:01 PM BuzzSaw Code <buzzsaw.c...@gmail.com> wrote:
>
> You don't need or want to know the anonymous principal's password -
> you should use randkey. Getting a password prompt for those creds
> means something is missing in the config.

OK. Agreed.

> You probably need to set some of the PKINIT parameters since they seem

This seems to be a missing point in my configuration. I just followed:

https://web.mit.edu/kerberos/www/krb5-latest/doc/admin/pkinit.html

to attempt to get pkinit working for anonymous credentials. I generated the CA and the KDC cert/key and updated the config file (/etc/krb5kdc/kdc.conf):

---<cut>---
[kdcdefaults]
    kdc_ports = 750,88
    kdc_tcp_listen = 88

[realms]
    MYDOMAIN.COM = {
        database_name = /var/lib/krb5kdc/principal
        admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
        acl_file = /etc/krb5kdc/kadm5.acl
        key_stash_file = /etc/krb5kdc/stash
        kdc_ports = 750,88
        max_life = 10h 0m 0s
        max_renewable_life = 7d 0h 0m 0s
        default_principal_flags = +preauth
        pkinit_identity = FILE:/etc/krb5kdc/kdc.pem,/etc/krb5kdc/kdckey.pem
    }
---<cut>---

> to be tied to FAST as well in your krb5.conf on your client:
>
> YOURREALM = {
>     pkinit_kdc_hostname = yourkdc.fqdn
> }
>

OK. Thanks! I added that to my /etc/krb5.conf.

$ kinit -n -c /tmp/somecache
Password for WELLKNOWN/anonym...@mydomain.com:

In the KDC logs I see:

Apr 25 16:56:05 auth-test krb5kdc[226122]: AS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 2607:ea00:200:60::13: NEEDED_PREAUTH: WELLKNOWN/anonym...@mydomain.com for krbtgt/mydomain....@mydomain.com, Additional pre-authentication required
Apr 25 16:56:05 auth-test krb5kdc[226122]: closing down fd 14

I see the "additional pre-authentication required".

I check the anonymous principal:

kadmin.local: get_principal WELLKNOWN/anonym...@mydomain.com
Principal: WELLKNOWN/anonym...@mydomain.com
Expiration date: [never]
Last password change: Tue Apr 25 16:04:45 CDT 2023
Password expiration date: [never]
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Tue Apr 25 16:04:45 CDT 2023 (root/ad...@mydomain.com)
Last successful authentication: Tue Apr 25 15:06:53 CDT 2023
Last failed authentication: Tue Apr 25 15:04:26 CDT 2023
Failed password attempts: 0
Number of keys: 2
Key: vno 3, aes256-cts-hmac-sha1-96
Key: vno 3, aes128-cts-hmac-sha1-96
MKey: vno 1
Attributes: REQUIRES_PRE_AUTH

So I remove the preauth requirement:

kadmin.local: modprinc -requires_preauth WELLKNOWN/anonym...@mydomain.com
Principal "WELLKNOWN/anonym...@mydomain.com" modified.

However, when I try:

$ kinit -n -c /tmp/somecache
Password for WELLKNOWN/anonym...@mydomain.com:

I still get a password prompt and the KDC logs still say NEEDED_PREAUTH for the WELLKNOWN/anonym...@mydomain.com principal.

Any ideas what I am missing to get pkinit working with anonymous credentials?

Thanks for the help!
-m
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
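For reference, here is the complete set of PKINIT settings the MIT PKINIT admin page linked above uses for anonymous PKINIT, on both the KDC and the client. This is an added example, not the poster's configuration and not text from the MIT page; the kdc.conf posted above shows pkinit_identity only. The CA file paths, the KDC FQDN (auth-test.mydomain.com) and the [libdefaults] and kdc entries are assumptions for illustration.

```ini
# --- KDC side: /etc/krb5kdc/kdc.conf ---
# pkinit_identity is the KDC's own certificate and private key;
# pkinit_anchors is the CA that issued it. The anchors path is an
# assumed location; the MIT page places both keys in [kdcdefaults]
# or in the realm stanza.
[kdcdefaults]
    kdc_ports = 750,88
    kdc_tcp_listen = 88

[realms]
    MYDOMAIN.COM = {
        database_name = /var/lib/krb5kdc/principal
        admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
        acl_file = /etc/krb5kdc/kadm5.acl
        key_stash_file = /etc/krb5kdc/stash
        default_principal_flags = +preauth
        pkinit_identity = FILE:/etc/krb5kdc/kdc.pem,/etc/krb5kdc/kdckey.pem
        pkinit_anchors = FILE:/etc/krb5kdc/cacert.pem
    }

# --- Client side: /etc/krb5.conf ---
[libdefaults]
    default_realm = MYDOMAIN.COM
    # The trust anchor the client uses to validate the KDC certificate in
    # the PKINIT reply. An anonymous client has no key of its own, so this
    # CA is the only thing authenticating the KDC to it: point it at the
    # private CA that issued the KDC cert, not a general-purpose bundle.
    # (Assumed path; copy cacert.pem from the KDC.)
    pkinit_anchors = FILE:/etc/krb5/cacert.pem

[realms]
    MYDOMAIN.COM = {
        # Assumed KDC hostname; the log lines above show the host as auth-test.
        kdc = auth-test.mydomain.com
        admin_server = auth-test.mydomain.com
        # Accept the KDC certificate by hostname instead of requiring the
        # id-pkinit-san extension; only needed if the cert lacks that SAN.
        pkinit_kdc_hostname = auth-test.mydomain.com
    }
```

With both sides in place, `kinit -n -c /tmp/somecache` should complete without a password prompt and `klist -c /tmp/somecache` should show a TGT for WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS. The NEEDED_PREAUTH line in the KDC log is the KDC advertising its preauth mechanisms, including PKINIT; the client has to answer it with a PKINIT request, which it can only validate if pkinit_anchors names the CA that signed the KDC certificate.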